Today, Laura Poitras and Jake Appelbaum spoke at the 31C3 conference and in collaboration with Der Spiegel published an interesting article on VPN exploitation by the NSA.

The “TL;DR” summary of what follows below is: If you configure your IPsec based VPN properly, you are not affected. Always use Perfect Forward Secrecy (“pfs=yes”, which is the default in libreswan IPsec) and avoid PreSharedKeys (authby=secret, which is not the default in libreswan IPsec). If you really need to use PSK, use a strong shared secret that cannot be brute forced. The NSA has their own version of IKEcrack running on millions of dollars worth of CPUs. Also, the NSA sneaks into your router to steal your PSKs so they can decrypt all your traffic.

Update 1: from media-35513.pdf (“TURMOIL/APEX/APEX High Level Description Document”): “CES generally requires the packets from both sides of an IKE exchange and knowledge of the associated pre-shared key (PSK) in order to have a chance of recovering a key for the corresponding cipher (ESP). A major goal of APEX is to access two sides of key exchanges of traffic of interest”

Update 2: To stop the NSA HappyDance, I just committed code to libreswan IPsec to warn about weak PSKs with a message notifying the sysadmin that as of July 1st, 2015, libreswan will refuse those weak PSKs. To determine the strength of the PSK, I used the Shannon Entropy value. If the PSK has a Shannon Entropy of less than 3.5, a warning will sound and in 6 months it will refuse to use that PSK.

Update 3: Just to make it clear: to break IKE PSKs, you first need to break the initial Diffie-Hellman exchange, which is usually MODP1024 or MODP1536 in the bad cases (and MODP2048+ in the good cases). The exception to this is IKEv1 Aggressive Mode, where the MAC computed with the PSK as secret key is sent. As a result one can mount an offline dictionary attack.

First, let’s clarify things a little bit. IPsec itself can use various ciphers and algorithms. It can use a separate encryption (AES, CAMELLIA, SERPENT, TWOFISH, 3DES, etc) + integrity (SHA2, SHA1, AES_XCBC, MD5, etc) mode, or it can use an AEAD cipher that combines these two into one (AES GCM, AES CCM, CAMELLIA GCM, etc). Although everyone is talking about breaking IPsec, what they really mean is breaking the Internet Key Exchange (IKE) that is used to negotiate and create the symmetric keys that IPsec uses for encryption and decryption.
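As an added illustration of the weak-PSK check described in Update 2 (this is not libreswan’s own code), here is the textbook per-character Shannon entropy with the 3.5-bit threshold; how libreswan computes the value internally is an assumption here, and the threshold constant name is invented for the example.

```python
import math
from collections import Counter

# Threshold from the post: PSKs with per-character Shannon entropy below
# 3.5 bits are warned about (and later refused). The constant name and the
# exact formula are assumptions; this is the textbook definition.
WEAK_PSK_ENTROPY_THRESHOLD = 3.5


def shannon_entropy(psk: str) -> float:
    """Per-character Shannon entropy H = -sum(p_i * log2(p_i)) in bits,
    where p_i is the relative frequency of each distinct character."""
    if not psk:
        return 0.0
    n = len(psk)
    counts = Counter(psk)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_psk(psk: str) -> dict:
    """Report entropy per character, a rough total-bits estimate (H * length),
    and whether the PSK falls under the warning threshold."""
    h = shannon_entropy(psk)
    return {
        "entropy_per_char": round(h, 3),
        "total_bits": round(h * len(psk), 1),
        "weak": h < WEAK_PSK_ENTROPY_THRESHOLD,
    }


def min_psk_length(threshold: float = WEAK_PSK_ENTROPY_THRESHOLD) -> int:
    """Shortest PSK that can possibly reach the threshold: per-character
    entropy is bounded by log2(len) (all characters distinct), so any PSK
    shorter than 2**threshold characters is always flagged as weak."""
    return math.ceil(2 ** threshold)


if __name__ == "__main__":
    # Constructed sample PSKs, not real secrets.
    for sample in ("secret", "abcdefghijk", "abcdefghijkl", "AbCdEfGh12345678"):
        print(sample, classify_psk(sample))
    print("minimum length that can pass:", min_psk_length())
```

Note that this check catches short and repetitive secrets but not dictionary words or keyboard patterns, so treat it as a floor, not a measure of brute-force resistance.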